{ config, inputs, ... }:
let
  dns = "duckdns";
  domain = "badbayan.duckdns.org";
  email = "badya65@gmail.com";
in {
  age.secrets = with inputs.self.modules; {
    ${dns}.file = secrets.${dns};
  };

  security.acme.certs.${domain} = {
    environmentFile = config.age.secrets.${dns}.path;
    domain = "*." + domain;
    dnsPropagationCheck = true;
    dnsProvider = dns;
    inherit email;
    extraDomainNames = [ domain ];
    inherit (config.security.acme.defaults) group;
  };

  services.nginx.virtualHosts = {
    ${domain} = {
      forceSSL = true;
      enableACME = true;
      acmeRoot = null;
      globalRedirect = "notbad.dynv6.net";
    };

    "*.${domain}" = {
      forceSSL = true;
      useACMEHost = domain;
      globalRedirect = domain;
    };
  };
}
